08-16-2006 08:40 AM - edited 03-09-2019 03:55 PM
Hi,
I'm setting up an ASA5520 and need to setup each subnet I'm running behind the firewall with a separate public ip address. I think I can do this with policy-based nat, but now that I look at the documentation, maybe not.
Here's what I want to try:
nat (inside) 10 access-list ITS-pat
access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w
nat (inside) 20 access-list HR-pat
access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t
Does it look like this will work? I'm not sure how I would test it until I put it into place.
Thanks!
Jeff
08-16-2006 08:43 AM
Jeff,
Yes, this certainly can work, but you will need to add a corresponding "global (outside) 10 x.x.x.x-x.x.x.x" and "global (outside) 20 x.x.x.x-x.x.x.x" sort of statement in order to get NAT to actually occur.
HTH pls rate!
08-16-2006 08:49 AM
Thanks Mike!
It would look something like this?
global (outside) 10 z.y.x.w
nat (inside) 10 access-list ITS-pat
access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w
global (outside) 20 z.y.x.t
nat (inside) 20 access-list HR-pat
access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t
Also, this would pat the internal subnets a.b.c.d to z.y.x.w
and
a.b.c.e to z.y.x.t
Right?
Thanks again!
Jeff
08-16-2006 08:53 AM
Yes! I have used such a config with success before. Good luck and please rate my post if you found it helpful!
-mike
08-16-2006 09:00 AM
Thanks!
08-16-2006 09:01 AM
Also, any ideas on how to test this? I'm not putting it in place for a while. I've always used nwtools.com to provide reverse IP lookup; I don't know of anything Windows-based that would do the same.
08-16-2006 09:28 AM
The most reliable way is to use an old pix or one that is designated for future use that you can mock your config up with.
08-16-2006 10:22 AM
I'm doing that now. Do you have any suggestions for testing the nat on an internal network?
09-08-2006 05:41 AM
Correction to the above rules:
It should be:
access-list PAT1 permit ip a.b.c.d 255.255.255.0 any
nat (inside) 10 access-list PAT1
global (outside) 10 z.y.x.w
access-list PAT2 permit ip a.b.c.e 255.255.255.0 any
nat (inside) 20 access-list PAT2
global (outside) 20 z.y.x.t
Let me know if there should be any other corrections...
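Added example (not from the thread or from Cisco): a small Python model of how a pre-8.3 ASA policy-NAT ACL is evaluated, with RFC 1918/5737 documentation addresses standing in for the thread's a.b.c.d / z.y.x.w placeholders. It shows why the corrected ACLs with destination `any` translate internet-bound traffic, while the first version, whose ACL destination is the public address itself, never matches an outbound flow. First-match evaluation in configured order and leaving unmatched traffic untranslated are simplifying assumptions of the model.

```python
import ipaddress

# Constructed sample addresses standing in for the thread's placeholders.
ITS_SUBNET = ipaddress.ip_network("10.1.1.0/24")    # a.b.c.d 255.255.255.0
HR_SUBNET = ipaddress.ip_network("10.1.2.0/24")     # a.b.c.e 255.255.255.0
ITS_PUBLIC = ipaddress.ip_address("203.0.113.10")   # z.y.x.w (global (outside) 10)
HR_PUBLIC = ipaddress.ip_address("203.0.113.11")    # z.y.x.t (global (outside) 20)
ANY = ipaddress.ip_network("0.0.0.0/0")


def acl_entry(src_net, dst_net):
    """One 'permit ip <src> <mask> <dst>' line. Policy NAT matches the
    ACL against the REAL (pre-translation) source and destination."""
    return (src_net, dst_net)


# Version from the first post: destination pinned to the public address
# ("host z.y.x.w"), so only traffic addressed to that IP would match.
ORIGINAL_POLICY = [
    (acl_entry(ITS_SUBNET, ipaddress.ip_network(f"{ITS_PUBLIC}/32")), ITS_PUBLIC),
    (acl_entry(HR_SUBNET, ipaddress.ip_network(f"{HR_PUBLIC}/32")), HR_PUBLIC),
]

# Corrected version from the last post: destination 'any'.
CORRECTED_POLICY = [
    (acl_entry(ITS_SUBNET, ANY), ITS_PUBLIC),   # nat (inside) 10 / global (outside) 10
    (acl_entry(HR_SUBNET, ANY), HR_PUBLIC),     # nat (inside) 20 / global (outside) 20
]


def translate(policy, src, dst):
    """Return the PAT address a flow would be mapped to, or None when no
    policy line matches. Assumption: rules are tried in configured order,
    first match wins, and unmatched traffic is left untranslated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (src_net, dst_net), mapped in policy:
        if src in src_net and dst in dst_net:
            return str(mapped)
    return None


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        for host in ("10.1.1.5", "10.1.2.9", "10.1.3.1"):
            print(label, host, "->", translate(policy, host, "198.51.100.7"))
```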